Subject: Re: now using rsa key, so zapped password; is that okay?
To: henry nelson <netb@irm.nara.kindai.ac.jp>
From: Andrew Brown <atatat@atatdot.net>
List: netbsd-help
Date: 09/25/2002 08:55:39
>The more I use ssh, the more I like it, but the more I find I don't
>understand.  So today I got rsa authorization to work, and realized
>I don't need a password anymore (this particular user never logs
>in via the console, only remotely via ssh).  I did vipw as root and
>replaced the password string with '*' as it seemed like it would make
>things only that much more secure for users like that.
>
>Question1: will that cause trouble in some unforeseen way?  Question2:
>is there a "better" or more "standard" way of blocking logins with a plain
>password?  TIA  

that's a perfectly reasonable thing to do, except it means you can't
tell the disabled accounts from the accounts people are using from the
system accounts, etc.

what i normally do in a case like this is set the password field for
the user in question to "SSHLoginsOnly".  that's a very accurate
description of the account, and also happens to be 13 characters, so
the /etc/security script won't complain of a bad password or a
disabled account that still has a valid shell.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
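
Added example, not part of the original message and not NetBSD's /etc/security script: a small sh/awk audit over constructed master.passwd-style lines, showing that '*' entries for system and disabled accounts look identical while the marker string from the reply singles out key-only accounts and gives a 13-character field. The function names, sample accounts and placeholder hash are assumptions.

```shell
#!/bin/sh
# Classify accounts by the password field of master.passwd-style lines:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# MARKER is the placeholder string suggested in the reply above.
MARKER="SSHLoginsOnly"

classify_accounts() {
    # Reads master.passwd-format lines on stdin.
    # Prints one line per account: "name kind password-field-length".
    awk -F: -v marker="$MARKER" '
        /^#/ || NF < 10 { next }      # skip comments and malformed lines
        {
            pw = $2
            if (pw == "")           kind = "no-password"
            else if (pw == marker)  kind = "ssh-key-only"
            else if (pw ~ /^\*/)    kind = "star"   # system or disabled: cannot tell which
            else                    kind = "password-hash"
            print $1, kind, length(pw)
        }'
}

# Constructed sample data (not from a real system; the hash is a dummy string).
sample_passwd() {
    cat <<'EOF'
root:$CONSTRUCTED_HASH_PLACEHOLDER$:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:System account:/:/sbin/nologin
olduser:*:1001:100::0:0:Disabled account:/home/olduser:/bin/sh
alice:SSHLoginsOnly:1002:100::0:0:Key-only user:/home/alice:/bin/sh
EOF
}

sample_passwd | classify_accounts
```

On the sample data, `daemon` and `olduser` both come out as `star 1`, while `alice` is reported as `ssh-key-only 13`.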